Alert issue after kernel update

JnascECSI
Forum Regular
Posts: 306
Joined: Mon Apr 14, 2008 8:29 am
Location: Rhode Island

Unread post by JnascECSI »

This morning I ran yum and the kernel was updated. Now all of a sudden I'm having a couple of issues and I'm not sure where to go on these.

First, I'm getting this message every 5 minutes:
OSSEC HIDS Notification.
2009 Jan 02 08:20:02

Received From: D2540->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jan 2 09:20:01 D2540 kernel: grsec: denied untrusted exec of /usr/lib/mailman/cron/gate_news by /bin/bash[sh:14301] uid/euid:41/41 gid/egid:41/41, parent /usr/sbin/crond[crond:14300] uid/euid:41/41 gid/egid:41/41


Second, now all of a sudden Dr Web refuses to start in Plesk:
ERROR: PLeskFatalException
Unable to make action: Unable to manage service by drwebmng: drwebmng: Service /etc/init.d/drwebd failed to start
drwebmng: drweb start failed

--------------------------------------------------------------------------------

0: /usr/local/psa/admin/plib/common_func.php3:190
psaerror(string 'Unable to make action: Unable to manage service by drwebmng: drwebmng: Service /etc/init.d/drwebd failed to start drwebmng: drweb start failed')
1: /usr/local/psa/admin/htdocs/server/restart_services.php:28


Third issue seems to be with IonCube:
Failed loading /usr/lib/php/ioncube/ioncube_loader_lin_5.2.so:
/usr/lib/php/ioncube/ioncube_loader_lin_5.2.so: cannot enable executable stack as shared object requires: Permission denied


Final issue:
PaX/grsecurity seems to not be working, as it has a red button in the ASL GUI.

Anyone else have problems after updating this morning? I'm running Plesk 8.6 latest with CentOS 5.2 with Linux 2.6.27.7-9.art.i686.PAE
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

Is gradm installed? That contains all the fixups for things like you're reporting.
JnascECSI
Forum Regular
Posts: 306
Joined: Mon Apr 14, 2008 8:29 am
Location: Rhode Island

Unread post by JnascECSI »

Thanks scott,

That seemed to do the trick for Dr.Web, but I seem to still have the PaX/GRE issue with it having the red icon.

I'm probably not going to worry about this server anyway since I've migrated most of all the clients off it to a new server not running PAE.

But I do appreciate the help and knowledge I've been given.... :wink:
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Unread post by breun »

See http://www.atomicrocketturtle.com/forum ... 5078#15078 for an explanation of why the ASL kernel is not being detected.
Lemonbit Internet Dedicated Server Management
JnascECSI
Forum Regular
Posts: 306
Joined: Mon Apr 14, 2008 8:29 am
Location: Rhode Island

Unread post by JnascECSI »

Well, it seems I'll have to put a ticket in for my production box; since yesterday PaX is now showing red also on a non-PAE box after its daily reboot. Before that it was fine on Saturday and everything seemed to work OK.

But my main concern now is that since the kernel update a couple of shopping carts are having issues with Tiny_MCE when trying to use the Ibrowser.php function of tiny_mce. And that is stopping merchants from adding products in their carts.

I believe it's a java issue with tiny_mce because this is the message that pops up when they try to add products. Anyone ever see this error?

"403 forbidden error : "you dont have permission to access /catalog/admin/inludes/javascript/tiny_mce/plugins/ibrowser/ibrowswer.php on this server. Apache server for xxxxxxxxxx.com port 443"
dstanley
Forum User
Posts: 36
Joined: Thu Oct 20, 2005 3:31 am

Unread post by dstanley »

Can you let us know how you get on with this, as I use tiny MCE on several applications?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Unread post by mikeshinn »

Do you see anything in your ASL logs blocking tinymce? If you submit a report I guarantee we will get an update out that day (well, as long as it's not at midnight or something).
JnascECSI
Forum Regular
Posts: 306
Joined: Mon Apr 14, 2008 8:29 am
Location: Rhode Island

Unread post by JnascECSI »

Mike,
This is what triggers when ibrowser is trying to be used. I went into a client's cart and clicked while watching the level 2 events, and this came in right after I clicked the ibrowser function.

Signature ID: 50128
Logfile: /var/asl/data/auditnull
Alert information
[modsecurity] [client 70.168.xx.x] [domain www.xxxxxxxxxxx.com] [403] [/20090106/20090106-0822/20090106-082234-TN2dTn8AAAEAAGkUh3IAAAAM] (null)
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4155
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Unread post by mikeshinn »

What do you see in the specific events log? (You need to look at this file as well /20090106/20090106-0822/20090106-082234-TN2dTn8AAAEAAGkUh3IAAAAM within the ASL audit directory)
JnascECSI
Forum Regular
Posts: 306
Joined: Mon Apr 14, 2008 8:29 am
Location: Rhode Island

Unread post by JnascECSI »

Here's what I found in that file.

--5c5f082d-A--
[06/Jan/2009:08:22:34 --0500] TN2dTn8AAAEAAGkUh3IAAAAM 70.168.74.2 45330 10.102.150.173 443
--5c5f082d-B--
GET /catalog/admin/includes/javascript/tiny_mce/plugins/ibrowser/ibrowser.php HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2; .NET CLR 3.0.04506.648)
Host: www.xxxxxxxxxxxxx.com
Connection: Keep-Alive
Cookie: osCAdminID=0tbcvu83ss96dspppsnns585u2

--5c5f082d-F--
HTTP/1.1 403 Forbidden
Content-Length: 347
Connection: close
Content-Type: text/html; charset=iso-8859-1

--5c5f082d-H--
Apache-Error: [file "/builddir/build/BUILD/httpd-2.2.3/modules/aaa/mod_authz_host.c"] [line 299] [level 3] client denied by server configuration: /var/www/vhosts/personallypaws.com/httpdocs/catalog/admin/includes/javascript/tiny_mce/plugins/ibrowser/ibrowser.php
Stopwatch: 1231248154271054 14859 (- - -)
Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/); 200901051040.
Server: Apache/2.2.3 (CentOS)

--5c5f082d-Z--


One other thing I just noticed is that the Security Bulletins in the ASL Web GUI are not showing the latest like they were a couple of days ago; the last notice update is for December 15. And the inventory doesn't seem to be scanning daily, because the other server is showing some apps which I know are on this box also.

I also went into my other server, to a domain running a cart just like it that has tiny_mce, and they are also having the same issue. The only difference with this box is that it is PAE, so I know about the PaX issue being out of sync, but it's not getting security bulletins either.

I did open a ticket yesterday because both of these boxes were fine before the kernel update last week. I just haven't heard from your support crew yet.
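
Added example, not part of the original thread and not Atomicorp or ModSecurity project code: a small parser that splits a ModSecurity 2.x audit entry like the one posted above into its lettered sections and reports whether the recorded response is tied to a ModSecurity rule (Message: lines in section H) or to another Apache module (Apache-Error: lines). The sample entry is constructed from the post with host and addresses replaced by placeholders, and split_sections and triage are hypothetical helper names.

```python
import re

# Constructed sample modelled on the audit entry in the post above;
# host name and IP addresses are placeholders.
SAMPLE = """\
--5c5f082d-A--
[06/Jan/2009:08:22:34 --0500] TN2dTn8AAAEAAGkUh3IAAAAM 192.0.2.10 45330 10.0.0.5 443
--5c5f082d-B--
GET /catalog/admin/includes/javascript/tiny_mce/plugins/ibrowser/ibrowser.php HTTP/1.1
Host: www.example.com

--5c5f082d-F--
HTTP/1.1 403 Forbidden

--5c5f082d-H--
Apache-Error: [file "/builddir/build/BUILD/httpd-2.2.3/modules/aaa/mod_authz_host.c"] [line 299] [level 3] client denied by server configuration: /var/www/vhosts/example.com/httpdocs/catalog/admin/includes/javascript/tiny_mce/plugins/ibrowser/ibrowser.php
Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/); 200901051040.

--5c5f082d-Z--
"""

# Section boundary: --<entry id>-<section letter>--
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")

def split_sections(entry):
    """Return {section letter: [non-empty lines]} for one audit entry."""
    sections, current = {}, None
    for line in entry.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = sections.setdefault(m.group(2), [])
        elif current is not None and line:
            current.append(line)
    return sections

def triage(entry):
    """Report which component the trailer (section H) ties the response to."""
    s = split_sections(entry)
    status = (s.get("F") or ["? ?"])[0].split()[1]   # response status line
    trailer = s.get("H", [])
    # ModSecurity rule matches are logged as Message: lines carrying [id "..."].
    rule_ids = [i for l in trailer if l.startswith("Message:")
                for i in re.findall(r'\[id "(\d+)"\]', l)]
    # Errors from other Apache modules are logged with their source file.
    hits = (re.search(r"modules/\w+/(\w+)\.c", l) for l in trailer
            if l.startswith("Apache-Error:"))
    modules = [h.group(1) for h in hits if h]
    source = ("modsecurity-rule" if rule_ids
              else "apache-module" if modules else "unknown")
    return {"status": status, "source": source,
            "rule_ids": rule_ids, "modules": modules}
```

For the sample, triage returns source "apache-module" with module mod_authz_host and no rule IDs, matching the "client denied by server configuration" line in the posted trailer.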